ldap filter: skip empty emails by default, fix ldap sync (case insensitive email comparison, user source difference)

README.md

@@ -145,7 +145,7 @@ The following configuration options are available:
 | LDAP_USER             | user              | ldap        | company\\\\ldap_wireguard                       | The bind user.                                                                                                                       |
 | LDAP_PASSWORD         | pass              | ldap        | SuperSecret                                     | The bind password.                                                                                                                   |
 | LDAP_LOGIN_FILTER     | loginFilter       | ldap        | (&(objectClass=organizationalPerson)(mail={{login_identifier}})(!userAccountControl:1.2.840.113556.1.4.803:=2)) | {{login_identifier}} will be replaced with the login email address.  |
-| LDAP_SYNC_FILTER      | syncFilter        | ldap        | (&(objectClass=organizationalPerson)(!userAccountControl:1.2.840.113556.1.4.803:=2))                            | The filter string for the LDAP synchronization service.              |
+| LDAP_SYNC_FILTER      | syncFilter        | ldap        | (&(objectClass=organizationalPerson)(!userAccountControl:1.2.840.113556.1.4.803:=2)(mail=*))                    | The filter string for the LDAP synchronization service.              |
 | LDAP_ADMIN_GROUP      | adminGroup        | ldap        | CN=WireGuardAdmins,OU=_O_IT,DC=COMPANY,DC=LOCAL | Users in this group are marked as administrators.                                                                                    |
 | LDAP_ATTR_EMAIL       | attrEmail         | ldap        | mail                                            | User email attribute.                                                                                                                |
 | LDAP_ATTR_FIRSTNAME   | attrFirstname     | ldap        | givenName                                       | User firstname attribute.                                                                                                            |

internal/server/configuration.go

@@ -104,7 +104,7 @@ func NewConfig() *Config {
 	cfg.LDAP.GroupMemberAttribute = "memberOf"
 	cfg.LDAP.AdminLdapGroup = "CN=WireGuardAdmins,OU=_O_IT,DC=COMPANY,DC=LOCAL"
 	cfg.LDAP.LoginFilter = "(&(objectClass=organizationalPerson)(mail={{login_identifier}})(!userAccountControl:1.2.840.113556.1.4.803:=2))"
-	cfg.LDAP.SyncFilter = "(&(objectClass=organizationalPerson)(!userAccountControl:1.2.840.113556.1.4.803:=2))"
+	cfg.LDAP.SyncFilter = "(&(objectClass=organizationalPerson)(!userAccountControl:1.2.840.113556.1.4.803:=2)(mail=*))"
 
 	cfg.WG.DeviceNames = []string{"wg0"}
 	cfg.WG.DefaultDeviceName = "wg0"

internal/server/ldapsync.go

@@ -54,6 +54,9 @@ func (s Server) userChangedInLdap(user *users.User, ldapData *ldap.RawLdapData)
 	if user.Phone != ldapData.Attributes[s.config.LDAP.PhoneAttribute] {
 		return true
 	}
+	if user.Source != users.UserSourceLdap {
+		return true
+	}
 
 	if user.DeletedAt.Valid {
 		return true
@@ -83,7 +86,7 @@ func (s *Server) disableMissingLdapUsers(ldapUsers []ldap.RawLdapData) {
 
 		existsInLDAP := false
 		for j := range ldapUsers {
-			if activeUsers[i].Email == ldapUsers[j].Attributes[s.config.LDAP.EmailAttribute] {
+			if activeUsers[i].Email == strings.ToLower(ldapUsers[j].Attributes[s.config.LDAP.EmailAttribute]) {
 				existsInLDAP = true
 				break
 			}
@@ -129,6 +132,7 @@ func (s *Server) updateLdapUsers(ldapUsers []ldap.RawLdapData) {
 
 		// Sync attributes from ldap
 		if s.userChangedInLdap(user, &ldapUsers[i]) {
+			logrus.Debugf("updating ldap user %s", user.Email)
 			user.Firstname = ldapUsers[i].Attributes[s.config.LDAP.FirstNameAttribute]
 			user.Lastname = ldapUsers[i].Attributes[s.config.LDAP.LastNameAttribute]
 			user.Email = ldapUsers[i].Attributes[s.config.LDAP.EmailAttribute]